Linking of content between installations of a content management system

ABSTRACT

Content maintained in a first repository of a first installation (which can optionally be an on-premise installation) of a content management system, as well as metadata associated with the content, can be shared via an approach in which content items maintained in the first repository are synchronized with a copy of the content items maintained in a second repository of a second installation (which can optionally be a cloud-based installation). The first installation can be optionally firewall protected. The copy of the content items can be accessed by collaborative users both within and external to a firewall. Related systems, methods, products, etc. are described.

CROSS-REFERENCE TO RELATED APPLICATION

The current application claims priority under 35 U.S.C. §119(e) to U.S.provisional patent application No. 61/887,277 filed on Oct. 4, 2013, thedisclosure of which is incorporated herein by reference.

TECHNICAL FIELD

The subject matter described herein relates generally to contentmanagement systems.

BACKGROUND

Enterprise content management (ECM) covers a broad range ofapplications, including document management (DM), Web content management(WCM), records management (RM), digital asset management (DAM), searchof managed content, and the like. A content management system (CMS)suitable for managing the various content (also referred to herein insome examples as “files”) that an enterprise produces or generates,retains or otherwise stores, manipulates or modifies, etc. can supportthe requirements of one or more of such applications, and optionallyother requirements, to provide a coherent solution in which content andmanagement processes are capable of accessing content across a varietyof applications subject to access controls, permissions, and the like.Content managed by a CMS can include one or more of documents, images,photos, Web pages, records, XML documents, other unstructured orsemi-structured files, etc. Content retained in a CMS can also includedirectory structures such as folders, file trees, file plans, or thelike, which can provide organization for multiple content items inaddition to storing or otherwise representing relationships betweencontent item, etc. An “enterprise” can generally refer to anorganization, such as for example a business or company, a foundation, auniversity, or the like, and can have content requirements related toone or more business processes, content uses, etc.

A CMS manages the actual digital binary content, the metadata thatdescribes a context of each content item, associations between a contentitem and other content or content items, a place and classification of acontent item in a repository, indexes for finding and accessing contentitems, etc. The CMS can also manage processes and lifecycles of contentitems to ensure that this information is correct. The CMS can alsomanage one or more workflows for capturing, storing, and distributingcontent, as well as the lifecycle for how long content will be retainedand what happens after that retention period.

A CMS for use in enterprise content management can include one or moreof document management tools, applications, and interfaces to supportgeneral office work, search, and discovery. Workflow managementcapabilities of a CMS can support numerous business processes,optionally including, but not limited to, case management and review andapproval. Collaboration applications and services of a CMS can supportthe collaborative development of information and knowledge in thecreation and refinement of content and documents. Web content managementservices of a CMS, which can be scalable, can support the delivery anddeployment of content from the enterprise to its customers. Recordsmanagement capabilities of a CMS can capture and preserve records basedupon government-approved or other standards. A standards-based platformcan also provide access to applications that use these standards, suchas publishing, image management, email management, etc.

SUMMARY

As discussed in greater detail below, features of the current subjectmatter can enable synchronization of content between repositoriesmanaged by separate installations of a content management system. Insome implementations on-premise content maintained by or otherwiseretained in an on-premise repository (optionally protected by one ormore firewalls) can be synchronized with a cloud copy of that contentmaintained by or otherwise retained in a second repository managed by acloud-based installation of the CMS.

Additional interrelated features relate to establishing authenticationbetween a first repository managed by a first installation of a contentmanagement system and a second repository managed by a secondinstallation of the content management system, linking a content item inthe first repository with a copy of that content item maintained on thesecond repository, and synchronizing a set of metadata between the copyand the content item in the first repository via a push to the secondinstallation of changes to the content item at the first repository forwriting to the copy of the content item at the second repository, andvia a pull to the first installation of changes to the copy of thecontent item at the second repository for writing to the content item atthe first repository, the first installation initiating both the pushand the pull. An external user can access the copy of the content itemin the second repository based on access permissions enforced by thesecond installation.

In some variations, one or more of the following features can optionallybe included in any feasible combination. For example, the changesassociated with the linked content can include at least one of metadatachanges and content changes. The on-premise repository can be protectedfrom access by external users by a firewall, and the cloud-based tenantrepository can be outside the firewall. The cloud copy can include boththe content of the on-premise content and a synchronized set of metadatain common with the on-premise content. Both of the push and the pull canbe initiated by the on-premise installation. The access to thecloud-based tenant repository provided to the external user can includeread access, write access, or both. The on-premise content and the cloudcopy can include one or more of files, folders, and directorystructures. The linkage can be broken such that synchronization betweenthe cloud copy of the on-premise content is stopped.

The synchronizing can occur periodically and can include reading from atenant audit log that records changes to the cloud copy occurring sincea previous synchronization and reading from an on-premise audit log thatrecords changes to the on-premise content occurring since the previoussynchronization. The pull can include querying the tenant audit log atthe tenant repository from the on-premise installation and the push caninclude sending information from the on-premise audit log to the tenant.The on-premise installation can serve as a system of record for changesto the on-premise content while the tenant can serve as a system ofengagement where collaborative changes to the cloud copy of the contentnode occur.

Implementations of the current subject matter can include, but are notlimited to, methods consistent with the descriptions provided herein aswell as articles that comprise a tangibly embodied machine-readablemedium operable to cause one or more machines (e.g., computers, etc.) toperform operations implementing one or more of the described features.Similarly, computer systems are also described that may include one ormore processors and one or more memories coupled to the one or moreprocessors. A memory, which can include a computer-readable storagemedium, may include, encode, store, or the like one or more programsthat cause one or more processors to perform one or more of theoperations described herein. Computer implemented methods consistentwith one or more implementations of the current subject matter can beimplemented by one or more data processors residing in a singlecomputing system or multiple computing systems. Such multiple computingsystems can be connected and can exchange data and/or commands or otherinstructions or the like via one or more connections, including but notlimited to a connection over a network (e.g. the Internet, a wirelesswide area network, a local area network, a wide area network, a wirednetwork, or the like), via a direct connection between one or more ofthe multiple computing systems, etc.

The details of one or more variations of the subject matter describedherein are set forth in the accompanying drawings and the descriptionbelow. Other features and advantages of the subject matter describedherein will be apparent from the description and drawings, and from theclaims. While certain features of the currently disclosed subject matterare described for illustrative purposes in relation to an enterprisesoftware system or other content management software solution orarchitecture, it should be readily understood that such features are notintended to be limiting. The claims that follow this disclosure areintended to define the scope of the protected subject matter.

DESCRIPTION OF DRAWINGS

The accompanying drawings, which are incorporated in and constitute apart of this specification, show certain aspects of the subject matterdisclosed herein and, together with the description, help explain someof the principles associated with the disclosed implementations. In thedrawings,

FIG. 1 shows a diagram illustrating features of a CMS architectureconsistent with implementations of the current subject matter;

FIG. 2 shows a diagram illustrating features of multi-tenancy softwareinstallations that may relate to one or more implementations of thecurrent subject matter;

FIG. 3 shows a diagram illustrating features of synchronization sets andaudit logs consistent with implementations of the current subjectmatter;

FIG. 4 shows a process flow diagram illustrating aspects of a methodhaving one or more features consistent with implementations of thecurrent subject matter; and

FIG. 5 shows another process flow diagram illustrating aspects of amethod having one or more features consistent with implementations ofthe current subject matter.

When practical, similar reference numbers denote similar structures,features, or elements.

DETAILED DESCRIPTION

Currently available approaches to enterprise content managementgenerally do not include capabilities relating to linking andsynchronizing of on-premise content from an organization's contentmanagement system installation, which is typically protected by one ormore network security controls, such as for example a firewall, with acloud-based tenant site that supports collaboration between users. Atypical enterprise may own or otherwise manage or have custodialresponsibility for content subject to a range of access controls. Somecontent of the enterprise may be freely sharable, while some othercontent may be highly confidential or otherwise subject to significantsecurity control. However, a third type of content of the enterprise mayexist somewhere between these two extremes. As an example, a document orother content item may be confidential while also requiringcollaboration with one or more users who are external to the enterpriseand who therefore lack access to content maintained in a repositoryprotected by the enterprise's firewall. Allowing such users accessthrough the firewall is typically not preferred due to security concerns(e.g. a desire or need to constrain access by such a user only to one ormore documents related to the collaboration.

Implementations of the current subject matter can address this need bysupporting features relating to maintaining synchronization of contentitems maintained in repositories of two separate installations of acontent management system. Accordingly, a secure repository, for examplea first repository protected by a firewall, can maintain theenterprise's content in a secure manner while a second repository, forexample a cloud-based repository accessible to users who haveappropriate permissions for accessing a tenant of a second contentmanagement system outside of the firewall, can maintain a copy of atleast some of the content. External users can then access the tenantaccording to their permissions to view and optionally modify the copy ofthe content. Synchronization between the content at the first repositoryand the copy of the content in the second repository can be achievedunder the control of the first installation, for example by a pull ofchanges to the content copy from the second repository and a push ofchanges to the content in the first repository to the second repository.One or more features discussed herein or that are similar or equivalentto such features can be employed in such an arrangement.

As referred to herein, a content management system generally includes atleast one programmable processor executing some form of machine-readableinstructions (e.g. software code, etc.) to provide one or more contentmanagement functions. Alternatively or in addition, computer hardwarecan be configured to perform one or more of the operations or the likedescribed herein. The term firewall is generally used throughout thisdisclosure to refer to network security controls, features,functionality, etc. that restrict access to users outside of thefirewall to content retained on one or more repositories inside of thatfirewall.

Various implementations of the current subject matter can, among otherpossible benefits and advantages, provide the ability to synchronize oneor more of folders, files, directory structures, or the like (alsoreferred to herein as content items), and business processes from afirst (e.g. an “on-premise”) installation of a CMS to a second (e.g. a“cloud-based”) CMS installation that supports permission-controlledaccess (optionally through the use of one or more protectedcollaboration sites) for users inside and outside of an enterprise.Content items can be synchronized from the on-premise CMS installationto the collaboration site hosted in the cloud CMS installation. Amongother possible benefits or advantages, this feature can allow theestablishment of a secure extranet for collaboration among users, enableremote (e.g., “out of the office”) access for one or more users tocontent items retained in the on-premise CMS installation, etc. Whilethe examples discussed below are generally framed in the context of afirst, on-premise CMS installation having an on-premise repositoryprotected by a firewall and a second, cloud-based CMS installationhaving a cloud-based repository, this configuration is not intended tobe limiting. Rather, the current subject matter can also include contentsynchronizations between two cloud-based repositories maintained by twocloud-based CMS installations, between two on-premise repositoriesmaintained by two on-premise CMS installations, and between acloud-based CMS installation having a cloud-based repository and anon-premise CMS installation having an on-premise repository where thecloud-based installation initiates synchronization. Accordingly,elsewhere herein and in the claims, a “first installation” can beconsidered as a “master” CMS installation that initiates push and pullcommunication with a second installation, which can be considered as a“slave” CMS installation to which content is synchronized.

Services and controls for managing content of a CMS consistent withimplementations of the current subject matter can include features suchas metadata management, version control, lifecycle management, workflow,search, associations to other content, tagging, commenting, etc. thatallow users of the CMS to find desired content items among very largecontent collections that can span multiple parts of an enterprise.Accuracy and consistency of the information can also be ensured, evenfor very large content collections across an enterprise. Content andother information in a CMS can be presented, published, etc. through theWeb or any other channel appropriate to allow users to access thatinformation.

In addition to supporting features typical of a cloud-based or “softwareas a service” (SaaS) software delivery model, a synchronization schemeconsistent with the descriptions provided here can provide a number ofdesirable features. For example, the current subject matter can supportautomatic synchronization of content between one or more CMS-managedrepositories that are inside of a firewall and a copy of one or morecontent items that are made accessible to authorized collaborating usersof the collaboration site in the cloud. Such features can enhance easeof engagement and collaboration both between users within anorganization and other collaborating users who are external to theorganization.

As described in greater detail below, synchronization can be supportedfor individual and multiple files, folders, folder hierarchies, andother directory structures between the “on-premise” and “cloud-based”repositories. As an illustrative example, FIG. 1 shows a diagram of asynchronization architecture 100 in which on-premise content 102 storedin a repository 104 of an on-premise installation 106 of a CMS isrestricted from being accessed by an external user 108 who is outside ofa firewall 110. A first internal user 112 who is inside the firewall 110has access permissions (which can include one or more of ownership,authorship, read/write permission, etc.) to the on-premise content 102.A second internal user 114 who is inside the firewall 110 can optionallybe restricted from accessing the on-premise content 102, for example dueto a differing role or permission set of the second internal user 114.Also as shown in FIG. 1, a cloud-based installation 120 of the CMS caninclude tenant-isolated access to a cloud-based repository 122. As usedherein, the term “on-premise content” refers generally to contentretained in the on-premise repository 104 and available forsynchronization with a location (e.g. a tenant, a site, a folder, adirectory tree, a document, etc.) 124 in the cloud-based installation120. The on-premise content 102 can include a single content file ormultiple content files. Alternatively or in addition, the on-premisecontent 102 can be synchronized at a higher directory level, such as forexample by linking one or more folders, file trees, other directorystructures, etc. such that a linked folder, file tree, other directorystructure, etc. as well as any other content items included within thelinked folder, file tree, other directory structure, etc. are replicatedin the tenant as the cloud copy 102A. For a synchronized multi-leveldirectory structure, file tree, set of folders, etc., anysub-directories, branches of the file tree, sub-folders, etc. are alsoreplicated to the cloud copy 102A and synchronized.

Tenant-isolated access refers to a multi-tenancy arrangement in which aninstallation of a software application 202 runs on a server (or multipleservers) to support multiple client-organizations (tenants).Multi-tenancy differs from multi-instance architectures where separatesoftware instances (or hardware systems) operate on behalf of differentclient organizations. FIG. 2 shows a diagram 200 illustrating a basicmulti-tenant arrangement. In a multi-tenant architecture, the softwareapplication 202 running on the one or more servers 204 virtuallypartitions its data and configuration within one or more data storagesystems 206 accessible by the one or more servers 204. The one or moredata storage systems 206 can include one or more hard drives, flashmemory, RAM, optical storage, or any other kind of information storingdevice. Each of multiple client organizations can optionally work with acustomized virtual application instance supported by one of multipletenants 210. Data in the one or more repositories 206 that are specificto a given tenant of the multiple tenants 210 are accessible only toauthorized users of that tenant. Given this definition of amulti-tenancy arrangement, it will be readily understood that referencesherein to a cloud-based repository 122 are intended to refer broadly todata accessible to and isolated within a tenant of a multi-tenantimplementation of a software as a service offering of a softwareapplication 202, which in this example is a content management system.Such a tenant can optionally be further partitioned to include discretesites (e.g. collaboration sites) to which various users can be granteddesired access permissions (e.g. read, write, delete, create, etc.)

Referring again to FIG. 1, the first internal user 112 can link orotherwise create a linkage between one or more content items of theon-premise content 102 in the repository 104 of the on-premiseinstallation 106 of the CMS and a cloud copy 102A of the one or morecontent items 102. The cloud copy 102A can exist in the cloud-basedrepository 122 and be isolated to provide access only to authorizedusers of a specific location 124 within the cloud-based installation 120of which the first internal user 112 is an authorized user. The cloudcopy 102A can include both the content of the on-premise content 102 aswell as a set of common metadata. One way in which content items can belinked is through definition of a synchronization set indicating whichcontent items 102 are to be linked and also a destination to which theyare to be linked. The destination can be a location 124 such as a tenantor optionally a more granular definition e.g. a site, a folder, a file,etc. The set of metadata are synchronized between the cloud copy 102Aand the on-premise content 102 in the repository 104 of the on-premiseinstallation 106 as discussed in greater detail below.

This synchronization can occur automatically. Communications necessaryto ensure synchronization of changes to the set of metadata and/or tothe content of the on-premise content 102 or the cloud copy 102A of thecontent are initiated from the on-premise installation 106 of the CMS.In other words, changes made to the content item (e.g., changes incontent or metadata relating to the on-premise content 102) from insidethe firewall 110 are pushed to the location 124 to be reflected in thecloud copy 102A while changes to the cloud copy 102A occurring withinthe location 124 are pulled to the on-premise installation 106 of theCMS to be reflected in the on-premise content 102. Exchange of thesynchronization information can occur over secure communicationchannels, such as for example HTTPS connections or the like. Becauseinitiation of all communication actions necessary to synchronize changesmade to either of the cloud copy 102A or the on-premise content 102occurs from the on-premise installation 106, opening of the firewall 106is unnecessary. The first internal user (and optionally other users ofthe on-premise installation 106 with administrator or ownership rightsto the content item) can determine one or more parameters that dictatewhat information can be synchronized (e.g. to ensure the sensitivecontent remains on-premise), how conflicting changes to one or the otherof the cloud copy 102A and the on-premise content 102 are resolved, etc.Such parameters can also be defined with the synchronization set.

Consistent with some implementations of the current subject matter, asynchronization process can include establishing authentication betweenthe location 124 and the on-premise installation 106. In some examples,authentication can be established through interaction of the firstinternal user 112 with one or more user interface elements, such as forexample a window, navigation pane, or other display feature includingone or more user interface elements, an inline prompt, etc. The firstinternal user 112 can be requested to supply authentication credentialson a first request to set up a synchronization between a content itemheld within the firewall-protected installation of the contentmanagement system, and the authentication credentials can be saved, forexample in a secure credentials store or the like from which theauthentication credentials can later be retrieved for use in futureauthentication, linking, and synchronization actions. Optionally, theauthentication credentials can be checked for accuracy when they areentered to prevent, for example, an incorrect password, username, orother credentials, from being saved in the secure credentials store. Insome examples, an oAuth implementation or the like can be used toestablish authentication of the first internal user 112.

The first internal user 112 can be allowed to synchronize the on-premisecontent 102 between the firewall-protected on-premise installation 106and a location 124 (e.g. a tenant, a site, a folder, a directory tree, adocument, etc.) within the cloud-based installation 120 to which thefirst internal user 112 has authorized access. The location 124 can havemultiple users connecting to it at the same time to allow collaboration.One or more of the multiple users can be an external user 108 or asecond internal user 114 within the on-premise installation 106. Thefirst internal user 112 can optionally be limited to storing thecredentials for only the location 124.

As a further explanation, any given internal user (e.g. the firstinternal user 112) can have two user identifications, one for thelocation 124 and one for the on-premise installation 106. Multipleinternal users can have permissions to access, edit, etc. the on-premisecontent 102 via the on-premise installation. Similarly, one or moreinternal users 112, 114 as well as one or more external users 108 whohave or are given access to the location 124 can access the cloud copy102A of the content item. The first internal user 112 can be capable ofsynchronizing the on-premise content 102 with any tenant (e.g. cloudbased instance of the CMS) to which the first internal user 112 hasauthorized access to create and update content.

Consistent with some implementations, the first internal user 112 (e.g.the user creating a synchronized link for content 102 to the cloud) canbe granted permissions for access to sites or folders within a location124 at a finer level of granularity than per tenant. For example, alocation 124 (e.g. a tenant) can include one or more “sites” as well asfolders or other directory structures than can exist within separatesites in a tenant. Permissions can be defined at a site level, at afolder or subfolder level, at a directory tree or branch level, at atenant level, etc. The first internal user 112 can, for example, be ableto select a first folder (e.g. “Folder A”) as a target for synchronizingbut not a second folder (e.g. “Folder B”), even if both Folder A andFolder B are inside the same site in a same tenant or other location 124that includes sub-structures such as sites, folders, directories, etc.These permissions can optionally be defined within the synchronizationset.

Similarly, while a tenant can contain many sites, the first internaluser 112 may only be able to see a subset of those sites, and may beable to create and update content in an even smaller subset of thosesites. Implementations of the current subject matter can support accesscontrols such as these or other comparable scenarios, and in generalallows an on-premise user to sync content only to a location 124 in thecloud-based installation (e.g. a tenant+a site within the tenant+afolder within the tenant, or the like) to which they have create andedit permissions.

Once authentication between the tenant or other location 124 and theon-premise installation 106 is established, the first internal user canselect one or more content items 102 to be linked between the on-premiseinstallation 106 and the tenant or other location 124. In one exampleconsistent with implementations of the current subject matter, thisselection can be accomplished through an on-premise document library,which generally refers to a user interface view of a file directorystructure that enables user navigation through content items accessiblewithin the repository 104 of the on-premise installation 106. The firstinternal user 112 can select one or more folders or files (e.g. contentitems—the term files is also herein interchangeably with content items)to sync through interactions with document library functionality.

Synchronization between on-premise content 102 and a cloud copy 102A ofthat content can be based on a concept of synchronization sets, whichgenerally include a group of one or more files, folders, etc. that syncto a particular location and optionally also include other informationabout access permissions, destinations for the synchronized copies ofthe content items, rules for synchronization, etc. If the first internaluser 112 selects multiple content items (e.g. files) for linking betweenthe on-premise installation 106 and the location 124, these multiplefiles can be grouped together as a single synchronization set. If thefirst internal user 112 selects only one file, a synchronization setcontaining a single node will be created. The term node is used hereinto refer to a file, a folder, or other content items as it isrepresented in a repository (either the on-premise repository 104 or thecloud repository 122). A user that creates a synchronization set (e.g.,the first internal user 112 in the example described here) owns thatsynchronization set, which uses that user's cloud credentials tosynchronize the files included in the synchronization set between theon-premise repository 104 and the cloud-based repository 122. Linkagesbetween content in the on-premise repository 104 and the tenant can beestablished for individual files or for folders or other file directorystructures that can contain multiple individual files and/or subfolders.

As noted above, synchronization of changes occurring to either of acloud copy 102A or the on-premise content 102 itself occurs via apush/pull process that is initiated from the on-premise installation106. Pushing and pulling of changes can be accomplished on asynchronization set by synchronization set basis. In some examples,synchronization management can be accomplished on an individual filebasis while the synchronization sets are managed by the system. In otherimplementations, administrator and/or user level synchronization setmanagement features can be made available. Synchronization managementactions (such as for example un-synchronizing a cloud copy 102A andon-premise content 102 in the on-premise repository 104) are generallyrequired to be performed at the same file directory level included bythe first internal user 112 within the original linkage. For example, ifthe first internal user 112 links a folder (e.g. a file directorystructure that can contain one or more files or sub-folders) as part ofa synchronization set, un-synchronizing of content within the folderoccurs atomically rather than on an item or sub-folder basis for contentor subfolders within the folder.

As illustrated in FIG. 3, synchronization of changes between the cloudcopy 102A and on-premise content 102 can be facilitated through the useof change auditing based on an on-premise audit log 302 maintained foron-premise content 102 to be synchronized and a tenant audit log 312maintained for the cloud copy 102A. When a content node 102 (e.g. afile, content item, etc.) is added to a synchronization set 308, amarker aspect 310 can be associated with the content node 102 such thatchanges to the content node 102 or its synchronization set membershiptriggers an entry in the on-premise audit log 302 for thesynchronization set 308. The first entry in the on-premise audit log 302for a synchronization set 308 can include the addition of the contentnode 102 to the synchronization set 308, thereby triggering creation ofthe cloud copy 102A of the node on the location 124. Periodically (e.g.on some time interval, which need not be constant and can in one examplebe approximately every 10 seconds or the like) the on-premise audit log302 is checked for changes and any synchronization changes found aresent (e.g. pushed by the on-premise CMS installation 106) to thelocation 124. Changes to the synced cloud copy 102A are also stored in atenant audit log 312 and are pulled by the on-premise installationperiodically (e.g. approximately every 60 seconds or the like).

Consistent with some implementations of the current subject matter,changes occurring to either the on-premise content node 102 or the cloudcopy 102A can be aggregated such that a “final” state of the node 102 ispushed from the on-premise installation 106. This “final” state of thecontent node 102 at each push event can be retained as a version to theextent that any changes have occurred since the previous pushcommunication. Versions need not be created for each interim statebetween sequential communications of entries in either of the on-premiseaudit log 302 or the tenant audit log 312. However, a version of thenode 102 can be explicitly created each time a change is pushed, even ifthe change includes only a property change and even if the on-premiserepository 104 is configured to not retain versions for changes thatonly include property changes.

The on-premise audit log 302 and the tenant audit log 312 can each havea relatively fine level of granularity regarding changes made to eitherof the content node 102 or the cloud copy 102A of the content node. Inother words, rather than merely recording that a change has occurred toa content node (either on-premise or in the cloud), the respective auditlogs 302, 312 can record the specific properties of the node that havechanged. As an example, a content node can include associated metadata.If a user, either in the tenant or other location 124 or on-premise,makes a change that affects a property of the associated metadata, thisspecific change can be recorded in the appropriate audit log 302, 312.On the next push or pull communication sequence initiated by theon-premise installation 106 to synchronize the on-premise content 102with the cloud copy 102A, only those parts of the metadata for which achange has occurred are pushed or pulled to or from the location 124.The audit logs 302, 312 can therefore be considered as a queue of deltasto content and/or metadata of a content node 102 (or to a cloud copy ofthe content node) that have occurred since a last successfulsynchronization communication between the on-premise installation 106and the location 124.

The messaging exchanged between the on-premise installation 106 and thelocation 124 to relay entries in the audit logs 302, 312 can optionallyinclude an aggregated set of a plurality of deltas that are not mutuallyinconsistent. In other words, a synchronization message can include aset of queued deltas that can be applied atomically. If two conflictingchanges are reflected in one of the audit logs 302, 312 (e.g. if twodifferent users made conflicting changes to a title or other metadata ofthe content node 102), the conflicting changes are not packaged into asingle message but are instead communicated separately. In this manner,a “current” synchronized version of the content node 102 or cloud copy102A of the content node can be assembled based on a single messageexchanged at each push or pull synchronization. This assembly of asynchronized version can be made possible by the atomicity of themessages, which prohibits the inclusion of conflicting deltainformation. The separate communication of any conflicting deltainformation can result in potentially inconsistent versions of thecontent node 102 or cloud copy 102A. These inconsistent versions can behandled according to conflict resolution rules. Examples of such rulescan include designating that either the most recent version of the cloudcopy 102A or the most recent version of the on-premise content node 102always “wins” in a conflict, giving precedence to changes made by acertain user or type of user if a conflict occurs, etc.

The node content and any properties from content models that exist bothin the location 124 (i.e. in the cloud-based repository 122 accessibleto the location 124) and in the on-premise repository 104 can besynchronized. When the synchronization is established, a list ofmetadata to be synchronized can be explicitly enumerated. This list ofmetadata can be defined globally, such that a content node 102 havingthe enumerated metadata properties synchronizes those properties with asynchronized cloud copy of the content node 102.

Multiple on-premise repositories can synchronize content independentlyof one another to multiple tenants in the cloud. It is also possible formultiple distinct on-premise repositories to synchronize content intodifferent locations in a single location 124 (e.g. a tenant).Accordingly, the tenant audit log 312 for a given tenant can includechanges relevant to synchronization sets for on-premise content formultiple on-premise repositories including the on-premise repository 104shown in FIG. 1. Consistent with illustrative implementations of thecurrent subject matter, pull synchronization can involve communicationsbetween the on-premise installation 106 and the location 124 at twolevels of granularity. For communication efficiency and data securityreasons, the on-premise repository 104 can make periodic requests to thelocation 124 for a high-level “change manifest” of relevant changes.This change manifest can include a coarse-grained listing of any contentitem changes that are relevant for that particular on-premise repository104 but need not include any information on changes that are relevant toother on-premise repositories besides the on-premise repository 104. Forexample, the coarse-grained listing can optionally include identifiersof content items that have changed, and/or identifiers ofsynchronization sets containing content items that have changed withoutincluding specifics about the changes themselves. The specifics can berequested to be sent in a second communication using the identifiersprovided in the change manifest. Examples of irrelevant changes caninclude, but are not limited to, changes to content items synchronizedwith other on-premise repositories. The server or servers hosting themulti-tenant, cloud-based instance of the CMS can support thisfunctionality, for example through storage in tenant audit logs 312 of asource repository identifier for each change and through audit logqueries which can be filtered by the source repository identifier. Forexample, the source repository identifier, which identifies a on-premiserepository 104 to which a copy 102A in the cloud repository 122 islinked, can be provided when the synch-set is initially created in thetenant, site, folder, etc. in the cloud and never changes.

In this manner, an on-premise repository 104 can request a changemanifest and only be notified of synchronization sets having thatparticular on-premise repository 104 as their origin and actuallycontaining unpulled changes. In the event that the change manifest isempty, no further communications from the on-premise repository 104 tothe cloud server are required until the next periodic check begins. Inthe event that the change manifest contains any synchronization setidentifiers, the on-premise repository 104 can then request moredetailed change information from the location 124 (e.g. in the form of amore fine-grained set of change descriptions that includes a detailedrecord of changes to any content item indicated in the change manifest)and perform the actual synchronization of content and/or metadata bymodifying the changed content items based on the received set of changedescriptions.

As a simplified example of this communication, a first on-premiserepository 104 can send a message or other communication to the location124. The message can include an identifier of the first on-premiserepository 104 and an inquiry regarding whether the tenant audit log 312includes any synchronization changes relevant to content held in thefirst on-premise repository 104. The location 124 (e.g. a tenant, asite, etc.) can reply with a manifest including identificationinformation for any synchronization sets relevant to the inquiringon-premise repository 104 (e.g. “changes have occurred insynchronization sets 1, 2, 4, and 42”). Optionally, the reply can alsoinclude an identifier of one or more content items within thesynchronization set that have experienced a change since a lastsynchronization.

The first on-premise repository 104 can then request a detailed set ofchange descriptions relevant to its synchronization set 1, and thelocation 124 can reply with the requested detail so that the firston-premise repository 104 can write the pulled changes to the affectedon-premise content 102, optionally with conflict handling andacknowledgement sent to the location 124 that the changes weresuccessfully pulled. This pull process can then be repeated for theother synchronization sets identified in the manifest (e.g.synchronization sets 2, 4, and 42 in this example).

If a node is synchronized as part of a folder synchronization, then thedirectory structure is also synchronized (e.g. the directory structurein the location 124 remains the same as the directory structureon-premise). However, if a content node is synchronized individually,then just the content node 102 and its cloud copy 102A are synchronizedsuch that location of the content node 102 within the directorystructure both on premise and at the tenant can be changed by moving thecloud copy 102A of the content node. Changing of a directory structurelocation of the cloud copy 102A in the tenant can cause an equivalentchange to occur to the on-premise content node 102 throughsynchronization.

Further to the above discussion, in the case where a folder structure orother director structure is synchronized, a file that is located insidethat folder structure can be moved to another location within the samefolder structure. When that happens, the move can be reflected correctlyat the other end of the synchronization link. Additionally, if a fileinside that synchronized folder structure is moved outside of thatfolder structure in the on-premise repository, then that file is removedfrom the synchronization set and can be removed from the location 124 inthe cloud. If a file inside one synchronized folder structure is movedinto a different synchronized folder structure in the on-premiserepository 104, then that file can be removed from the firstsynchronization set and added to the second synchronization set. Thesetwo changes can then be reflected in the linked locations (e.g. in atenant or multiple tenants as it is possible that the secondsynchronization set is linked to a different tenant than the tenant ofthe location 124).

The first internal user 112 who established the synchronization ofon-premise content 102 with the location 124 can choose at a later timeto unsynchronize the linked content node 102 from the cloud copy 102A.When this unsynchronization occurs, the marker aspect 310 associatedwith the content node 102 is removed and an unsynchronization record isadded to the on-premise audit log 302. Deletion of the content node 102from the on-premise repository 104 can also result in theunsynchronization record being added to the on-premise audit log 302.When the CMS on-premise installation 106 queries the on-premise auditlog 302 for changes, it finds the node unsynchronization record andpushes it to the location 124 just as any other change. The cloud copy102A can optionally be deleted upon receipt at the location 124 of theunsynchronization record. Alternatively, the cloud copy 102A can beretained at the tenant. However, further changes to the cloud copy 102Aare not pulled back to the on-premise content node 102, as thesynchronization link has been removed, or in some cases the on-premisecontent node 102 has been deleted.

In some examples, an on-premise content node that is synchronized with acloud copy 102A at the location 124 can be locked such that only changesto the cloud copy 102A are allowed. In other words, while the on-premisecontent node 102 is synchronized with the cloud copy 102A, theon-premise node 102 is available only for read access. This approach canassist in maintaining consistency in versions of the content node 102.Both external users 108 and first and second internal users 112 and 114(as well as other internal and external users) can collaborate using acollaboration site established in the tenant. The on-premiseinstallation 106 of the CMS can thereby serve as the system of recordfor changes to the content node 102 while the location 124 (e.g. atenant, site, folder, etc.) serves as a system of engagement wherecollaborative changes to the cloud copy 102A of the content node occur.The changes to the cloud copy 102A are periodically pulled back to theon-premise installation for recording and versioning. The cloud copy102A can hold the most up-to-date version of the content. The on-premisecopy 102 can “lag behind” the cloud copy 102A, so after a change is madein the cloud repository 122 there exists a short period of time duringwhich the on-premise content 102 does not reflect the latest version inthe location 124.

It is possible for a content node 102 and its cloud copy 102A to haveboth changed substantially concurrently (e.g. during the time delaybetween sequential push or pull synchronization communications).Consistent with implementations of the current subject matter, anassumption can be made that the short period between synchronizationcommunications makes conflicts unlikely. To facilitate collaboration inthe cloud, conflicts can be resolved based on a “Cloud wins” approach toconflict resolution. If a file changes at both the on-premise side andthe tenant substantially simultaneously, then the on-premise node 102can be versioned and overwritten with the cloud copy 102A. The changedstate of the on-premise content node 102 is not lost—versioning of thisstate ensures that a full log of changes is retained to allow laterresolution or inclusion of partially conflicting changes. A user canview the version history and can revert or update as necessary.

Other features consistent with implementations of the current subjectmatter can address error handling in the event of a communicationfailure between the on-premise installation 106 and the location 124.When synchronization of a linked content node 102 with its cloud copy102A fails, an error aspect 314 (see FIG. 3) can be applied to the onpremise content node 102. The error can be transient (e.g. a temporarycommunications failure with the tenant, an authentication failure, etc.)or a more “permanent” hard error that require a user interaction tosolve (e.g. a name conflict in the sync folder or a permissions changemeaning that a target folder is no longer writable). In either of thosecases, an appropriate error aspect 314 (e.g. indicative of a transienterror or a hard error) is applied to the on-premise content node 102,and the user can be notified through one or more user interfaceindicators (e.g. in a document library screen). The error aspect 314 canaffect how the audits work. When a transient error occurs, theon-premise audit log 302 continues to keep a record of changes such thatthe system automatically recovers when the transient error is resolved.The location 124 can be unaware of the transient error due tocommunications all beginning from the on-premise installation. As such,the tenant audit log 312 can continue to record changes to the cloudcopy 102A of the content node during the transient error, and thesechanges can be pulled back to the on-premise installation 106 uponresolution of the transient error.

When a hard error occurs, the on-premise audit log 302 clears currententries, stops recording changes, and only resumes when the usermanually requests a re-synchronization. A re-synchronization requesttriggers a full push of the content node 302 if the content node includethe hard error aspect 314. If the push of the content node 102 failsagain, then the error aspect will be reapplied.

FIG. 4 shows a process flow chart 400 illustrating features that can beincluded in a method consistent with implementations of the currentsubject matter. At 402, content (e.g. content items) is linked between afirst (optionally an on-premise) repository managed by a firstinstallation of a content management system and a second (optionally acloud-based or tenant) repository managed by a second installation ofthe content management system. As discussed above, the on-premiserepository can be protected from access by external users by a firewall,and the cloud-based tenant repository can be outside the firewall. Oneor more synchronization sets can define the content to be synchronizedbetween the first repository and the second repository.

At 404, the first repository can request a change manifest listingchanges associated with the linked content from the second repository,for example by sending a request for a change manifest to the secondinstallation of the content management system managing the secondrepository. The request can include a repository identifier identifyingthe first repository. The changes associated with the linked content caninclude at least one of metadata changes and content changes.

In response to the request, the first repository can receive the changemanifest from the second repository at 406. The change manifest caninclude a synchronization set identifier identifying a synchronizationset that includes a content item of the linked content that has beenchanged at the second repository subsequent to a previoussynchronization between the first repository and the second repository.The change manifest can also optionally include a content itemidentifier identifying the content item that has been changed at thesecond repository.

At 410 the first repository requests a detailed set (e.g. a record) ofchange descriptions of the changes associated with the linked content inthe synchronization set. These changes associated with the linkedcontent include changes made at the second repository to the contentitem identified by at least the synchronization set identifier andoptionally by the content item identifier.

At 412, a set of change descriptions that includes the detailed recordof changes to the content item is received at the first installationfrom the second installation. The detailed set of change descriptionscan be configured to be written to the linked content in the firstrepository. At 414, the content item at the first repository can bemodified based on the set of change descriptions.

FIG. 5 shows another process flow chart 500 illustrating features thatcan be included in a method consistent with implementations of thecurrent subject matter. At 502, authentication is established betweenfirst (optionally on-premise) repository managed by first (optionallyon-premise) installation of a content management system and a second(optionally cloud-based tenant) repository managed by a second(optionally cloud-based) installation of the content management system.The first installation can be protected from access by an external userby a firewall or other security protocol that limits access from userswho are not inside the firewall.

At 504, a linkage is created between on-premise content in theon-premise repository and a cloud copy of the on-premise content thatexists in a collaboration site maintained on the cloud-based tenantrepository. In other words, a content item maintained by the firstrepository is linked with a copy of the content item maintained by thesecond repository. The copy includes both the content of the on-premisecontent and a set of metadata in common with the on-premise content andis accessible by an external user subject to one or more access controlsenforceable by the second installation.

The set of metadata are synchronized between the copy of the contentitem and the content item in the first repository at 506. Thesynchronizing occurs via a push of first changes to the content to thetenant for writing to the cloud copy and via a pull of second changes tothe cloud copy for writing to the on-premise content. Both of the pushand the pull are initiated by the on-premise installation.

At 510, access to the cloud copy is allowed for the external user, whichcan optionally include inviting the external user to a site, a tenant, afolder, or the like. More generally, access for the external user can bebased on based on access permissions enforced by the secondinstallation, which can be defined by an internal user who haspermissions to both of the first installation and the secondinstallation. For example, access can be based on input from an internaluser who requests or otherwise initiates the linking of the content itemand the copy, or can be defined based on access permissions in astructure (e.g. a site, a folder, a directory sub-tree, etc.) thatalready existed at the second installation and that was designated as adestination for the linked copy of the content item. The structure canoptionally be a public site accessible to an external user withsufficient network access. The copy of the content item and the contentitem can be unsynchronized by breaking the linking between them.

One or more aspects or features of the subject matter described hereincan be realized in digital electronic circuitry, integrated circuitry,specially designed application specific integrated circuits (ASICs),field programmable gate arrays (FPGAs) computer hardware, firmware,software, and/or combinations thereof. These various aspects or featurescan include implementation in one or more computer programs that areexecutable and/or interpretable on a programmable system including atleast one programmable processor, which can be special or generalpurpose, coupled to receive data and instructions from, and to transmitdata and instructions to, a storage system, at least one input device,and at least one output device. The programmable system or computingsystem may include clients and servers. A client and server aregenerally remote from each other and typically interact through acommunication network. The relationship of client and server arises byvirtue of computer programs running on the respective computers andhaving a client-server relationship to each other.

These computer programs, which can also be referred to programs,software, software applications, applications, components, or code,include machine instructions for a programmable processor, and can beimplemented in a high-level procedural language, an object-orientedprogramming language, a functional programming language, a logicalprogramming language, and/or in assembly/machine language. As usedherein, the term “machine-readable medium” refers to any computerprogram product, apparatus and/or device, such as for example magneticdiscs, optical disks, memory, and Programmable Logic Devices (PLDs),used to provide machine instructions and/or data to a programmableprocessor, including a machine-readable medium that receives machineinstructions as a machine-readable signal. The term “machine-readablesignal” refers to any signal used to provide machine instructions and/ordata to a programmable processor. The machine-readable medium can storesuch machine instructions non-transitorily, such as for example as woulda non-transient solid-state memory or a magnetic hard drive or anyequivalent storage medium. The machine-readable medium can alternativelyor additionally store such machine instructions in a transient manner,such as for example as would a processor cache or other random accessmemory associated with one or more physical processor cores.

To provide for interaction with a user, one or more aspects or featuresof the subject matter described herein can be implemented on a computerhaving a display device, such as for example a cathode ray tube (CRT) ora liquid crystal display (LCD) or a light emitting diode (LED) monitorfor displaying information to the user and a keyboard and a pointingdevice, such as for example a mouse or a trackball, by which the usermay provide input to the computer. Other kinds of devices can be used toprovide for interaction with a user as well. For example, feedbackprovided to the user can be any form of sensory feedback, such as forexample visual feedback, auditory feedback, or tactile feedback; andinput from the user may be received in any form, including, but notlimited to, acoustic, speech, or tactile input. Other possible inputdevices include, but are not limited to, touch screens or othertouch-sensitive devices such as single or multi-point resistive orcapacitive trackpads, voice recognition hardware and software, opticalscanners, optical pointers, digital image capture devices and associatedinterpretation software, and the like.

The subject matter described herein can be embodied in systems,apparatus, methods, and/or articles depending on the desiredconfiguration. The implementations set forth in the foregoingdescription do not represent all implementations consistent with thesubject matter described herein. Instead, they are merely some examplesconsistent with aspects related to the described subject matter.Although a few variations have been described in detail above, othermodifications or additions are possible. In particular, further featuresand/or variations can be provided in addition to those set forth herein.For example, the implementations described above can be directed tovarious combinations and subcombinations of the disclosed featuresand/or combinations and subcombinations of several further featuresdisclosed above. In addition, the logic flows depicted in theaccompanying figures and/or described herein do not necessarily requirethe particular order shown, or sequential order, to achieve desirableresults.

In the descriptions above and in the claims, phrases such as “at leastone of” or “one or more of” may occur followed by a conjunctive list ofelements or features. The term “and/or” may also occur in a list of twoor more elements or features. Unless otherwise implicitly or explicitlycontradicted by the context in which it used, such a phrase is intendedto mean any of the listed elements or features individually or any ofthe recited elements or features in combination with any of the otherrecited elements or features. For example, the phrases “at least one ofA and B;” “one or more of A and B;” and “A and/or B” are each intendedto mean “A alone, B alone, or A and B together.” A similarinterpretation is also intended for lists including three or more items.For example, the phrases “at least one of A, B, and C;” “one or more ofA, B, and C;” and “A, B, and/or C” are each intended to mean “A alone, Balone, C alone, A and B together, A and C together, B and C together, orA and B and C together.”

Use of the term “based on,” above and in the claims is intended to mean“based at least in part on” such that an unrecited feature or element isalso permissible.

Other implementations than those described herein may be within thescope of the following claims.

What is claimed is:
 1. A computer program product comprising amachine-readable medium storing instructions that, when executed by atleast one programmable processor, cause the at least one programmableprocessor to perform operations of a first installation of a contentmanagement system, the operations comprising: establishingauthentication between a first repository managed by the firstinstallation and a second repository managed by a second installation ofthe content management system, the first installation being protected bya firewall preventing access to the first repository by an externaluser; linking a content item maintained by the first repository with acopy of the content item maintained by the second repository such thatthe copy of the content item is accessible by an external user subjectto one or more access controls enforceable by the second installation,the copy comprising both content of the content item and a set ofmetadata in common with the content item at the first repository; andsynchronizing the set of metadata between the copy of the content itemand the content item in the first repository, the synchronizingoccurring via a push to the second installation of changes to thecontent item at the first repository for writing to the copy of thecontent item at the second repository, and via a pull to the firstinstallation of changes to the copy of the content item at the secondrepository for writing to the content item at the first repository, thefirst installation initiating both the push and the pull.
 2. A computerprogram product as in claim 1, wherein the access controls are definedbased on either or both of an input from an internal user of the firstinstallation who initiates the linking of the content item and the copyof the content item, and an access permission defined for an existingstructure at the second installation that is designated as a destinationfor the copy of the content item.
 3. A computer program product as inclaim 1, wherein the linking further comprises: adding the content itemto a synchronization set; associating a marker aspect with the contentitem at the first repository when the content item is added to thesynchronization set; and adding an entry in a first audit log for thesynchronization indicating addition of the content item thesynchronization set, the adding of the entry triggering a first pushsynchronization to the second installation to create the copy of thecontent item at the second repository.
 4. A computer program product asin claim 3, wherein the operations further comprise: unsynchronizing thecopy of the content item and the content item, the unsynchronizingcomprising removing the marker aspect from the content item at the firstrepository and adding an unsynchronization record to the first auditlog.
 5. A computer program product as in claim 4, wherein theunsynchronizing further comprises pushing a removal node from the firstinstallation to the second installation, the removal node causing thesecond installation to delete the copy of the content item upon receiptof the removal node.
 6. A computer program product as in claim 4,wherein the unsynchronizing further comprises pushing a removal nodefrom the first installation to the second installation, the removal nodecausing the second installation to retain the copy of the content itemwithout further reporting of changes made to the copy back to the firstinstallation.
 7. A computer program product as in claim 1, wherein thesynchronizing occurs periodically and comprises receiving from thesecond installation a change manifest generated from a second audit logthat records changes to the copy of the content item at the secondrepository occurring since a previous synchronization and reading from afirst audit log that records changes to the content item at the firstrepository occurring since the previous synchronization.
 8. A computerprogram product as in claim 7, wherein the pull further comprisesquerying the second audit log from the first installation and the pushfurther comprises sending information from the first audit log to thesecond installation.
 9. A computer program product as in claim 1,wherein the first installation serves as a system of record for changesto the content item and the second installation serves as a system ofengagement where collaborative changes to the copy of the content itemoccur.
 10. A computer program product as in claim 1, wherein the contentitem and the copy of the content item comprise one or more of a file, afolder, and a directory structure.
 11. A computer program product as inclaim 1, wherein the linking further comprises creating asynchronization set defining content for synchronization between thefirst repository and the second repository, the defining comprisingselecting the content item for inclusion in the synchronization set anda destination in the second repository to which the content item in thesynchronization set is to be synchronized.
 12. A computer programproduct as in claim 1, wherein the first repository comprises anon-premise repository protected from access by external users by afirewall, and the second repository comprises a cloud-based tenantrepository outside of the firewall.
 13. A computer program product as inclaim 12, wherein the cloud-based tenant repository comprises aplurality of sites, and wherein a synchronization set defines contentfor synchronization between the first repository and the secondrepository, the synchronization set comprising the content item forinclusion in the synchronization set and a site of the plurality ofsites in the second repository as a destination to which the contentitem in the synchronization set is to be synchronized
 14. A computerprogram product as in claim 1, wherein the synchronizing furthercomprises: sending a request for a change manifest from the firstinstallation to the second installation, the request comprising arepository identifier identifying the first repository; receiving thechange manifest from the second repository at the first repository, thechange manifest comprising a synchronization set identifier identifyinga changed synchronization set of the one or more synchronization sets,the changed synchronization set comprising the content item which hashad its copy changed at the second repository subsequent to a previoussynchronization between the first repository and the second repository;requesting from the second repository based on the change manifest, adetailed record of changes made at the second repository to the contentitem identified by the content item identifier; and receiving, at thefirst repository from the second repository, a set of changedescriptions comprising the detailed record of changes.
 15. A computerprogram product as in claim 1, wherein the establishing authenticationcomprises verifying that an internal user of the first installation hasauthorized access to a destination for the copy of the content item atthe second installation, the verifying comprising at least one ofreceiving authentication credentials provided by the first user andretrieving the authentication credentials from a credentials store. 16.A system comprising: computer hardware configured to perform operationsof a first installation of a content management system, the operationscomprising: establishing authentication between a first repositorymanaged by the first installation and a second repository managed by asecond installation of the content management system, the firstinstallation being protected by a firewall preventing access to thefirst repository by an external user; linking a content item maintainedby the first repository with a copy of the content item maintained bythe second repository such that the copy of the content item isaccessible by an external user subject to one or more access controlsenforceable by the second installation, the copy comprising both contentof the content item and a set of metadata in common with the contentitem at the first repository; and synchronizing the set of metadatabetween the copy of the content item and the content item in the firstrepository, the synchronizing occurring via a push to the secondinstallation of changes to the content item at the first repository forwriting to the copy of the content item at the second repository, andvia a pull to the first installation of changes to the copy of thecontent item at the second repository for writing to the content item atthe first repository, the first installation initiating both the pushand the pull.
 17. A system as in claim 14, wherein the computer hardwarecomprises at least one programmable processor and a machine-readablemedium storing instructions that, when executed by the at least oneprocessor, cause the at least one programmable processor to perform theoperations.
 18. A system as in claim 16, wherein the linking furthercomprises: adding the content item to a synchronization set; associatinga marker aspect with the content item at the first repository when thecontent item is added to the synchronization set; and adding an entry ina first audit log for the synchronization indicating addition of thecontent item the synchronization set, the adding of the entry triggeringa first push synchronization to the second installation to create thecopy of the content item at the second repository.
 19. A system as inclaim 16, wherein the first repository comprises an on-premiserepository protected from access by external users by a firewall, andthe second repository comprises a cloud-based tenant repository outsideof the firewall.
 20. A system as in claim 19, wherein the cloud-basedtenant repository comprises a plurality of sites, and wherein asynchronization set defines content for synchronization between thefirst repository and the second repository, the synchronization setcomprising the content item for inclusion in the synchronization set anda site of the plurality of sites in the second repository as adestination to which the content item in the synchronization set is tobe synchronized.
 21. A system as in claim 16, wherein the synchronizingfurther comprises: sending a request for a change manifest from thefirst installation to the second installation, the request comprising arepository identifier identifying the first repository; receiving thechange manifest from the second repository at the first repository, thechange manifest comprising a synchronization set identifier identifyinga changed synchronization set of the one or more synchronization sets,the changed synchronization set comprising the content item which hashad its copy changed at the second repository subsequent to a previoussynchronization between the first repository and the second repository;requesting from the second repository based on the change manifest, adetailed record of changes made at the second repository to the contentitem identified by the content item identifier; and receiving, at thefirst repository from the second repository, a set of changedescriptions comprising the detailed record of changes.
 22. Acomputer-implemented method comprising: establishing authenticationbetween a first repository managed by a first installation of a contentmanagement system and a second repository managed by a secondinstallation of the content management system, the first installationbeing protected by a firewall preventing access to the first repositoryby an external user; linking a content item maintained by the firstrepository with a copy of the content item maintained by the secondrepository such that the copy of the content item is accessible by anexternal user subject to one or more access controls enforceable by thesecond installation, the copy comprising both content of the contentitem and a set of metadata in common with the content item at the firstrepository; and synchronizing the set of metadata between the copy ofthe content item and the content item in the first repository, thesynchronizing occurring via a push to the second installation of changesto the content item at the first repository for writing to the copy ofthe content item at the second repository, and via a pull to the firstinstallation of changes to the copy of the content item at the secondrepository for writing to the content item at the first repository, thefirst installation initiating both the push and the pull.
 23. Acomputer-implemented method comprising: receiving, by a secondinstallation of a content management system from a first installation ofthe content management, confirmation that a first repository managed bythe first installation of the content management system has establishedauthentication with a second repository managed by the secondinstallation, the first installation being protected by a firewallpreventing access to the first repository by an external user;receiving, at the second installation, a link of a content itemmaintained by the first repository with a copy of the content itemmaintained by the second repository such that the copy of the contentitem is accessible by an external user subject to one or more accesscontrols enforceable by the second installation, the copy comprisingboth content of the content item and a set of metadata in common withthe content item at the first repository; and synchronizing the set ofmetadata between the copy of the content item and the content item inthe first repository, the synchronizing occurring via receipt by thesecond installation of a push from the first installation of changes tothe content item at the first repository for writing to the copy of thecontent item at the second repository, and by the second installationresponding to a pull to the first installation of changes to the copy ofthe content item at the second repository for writing to the contentitem at the first repository, the first installation initiating both thepush and the pull.